Standard user disabling security software without UAC support

I'm currently working on a security configuration for W7X64 Pro using local group policies, UAC and standard user accounts.

I had composed a shortlist with security programs I already evaluated using the administrative user account.

For security software I use the following principle: the security product should prevent regular end users from disabling the product.

I discovered that after I installed various security programs using the administrative user account, a standard user account can click on the systray icon and disable or reconfigure the product.

Some programs did support passwords, but I still prefer UAC support.

During my limited testing I found that Microsoft Security Essentials, NOD32 and Windows Firewall support UAC. Using these products, standard users are not allowed to disable or configure them without a UAC prompt.

I would like to know whether I overlooked something in my testing, or whether it is actually possible to disable/reconfigure various security software as a standard user?

My goal is to separate standard user and administrative user. Standard user can perform daily tasks and the administrative user can install software or configure system settings.

I don't want standard users having full access to security software installed by the administrative user. They should be prompted by UAC for privilege escalation.

I couldn't reproduce this issue with Windows Defender. I can access it, but trying to disable the product via Tools > Options > Administrator > "Use this program" is protected by privilege escalation through UAC.

I don't know if this will help or not, but did you try to make those security applications start under the Administrator credentials, rather than the standard user?

Security software should come with a password setting to prevent tampering.

I was talking about the Windows Defender feature that will notify you about changes made by unclassified software.

You cannot make the decision whether to permit/deny changes made by unclassified software when Windows Defender prompts about it. That is under LUA/standard user.

That's how it should work. Don't forget that Windows Defender doesn't exist only for home users, or that every home user is the Administrator of that system. In these cases, the Administrator is the one who should make the decisions, not the standard users.

your principle is good. ^_^
I hope your security software will also help improve my scores in Belarc Advisor.

m00nbl00d said:

That's how it should work. Don't forget that Windows Defender doesn't exist only for home users, or that every home user is the Administrator of that system. In these cases, the Administrator is the one who should make the decisions, not the standard users.

But I know the admin password.
I can't install the unclassified program correctly even after running it as admin, because I can't permit changes in Windows Defender.

I don't know if this will help or not, but did you try to make those security applications start under the Administrator credentials, rather than the standard user?

I installed them under the administrative user. Logged off. Logged in as standard user. The security applications' GUI parts were started through autorun and were accessible to the standard user via the systray. Once the GUI part was accessed by the standard user, he was permitted to disable/reconfigure the security program.

m00nbl00d said:

Security software should come with a password setting to prevent tampering.

Agreed, but some didn't, or it was not easy to locate. With UAC, programs are automatically protected.

I installed them under the administrative user. Logged off. Logged in as standard user. The security applications' GUI parts were started through autorun and were accessible to the standard user via the systray. Once the GUI part was accessed by the standard user, he was permitted to disable/reconfigure the security program.

Agreed, but some didn't, or it was not easy to locate. With UAC, programs are automatically protected.

I meant, have you tried to remove the autorun entries for the standard user accounts, and then create tasks to start those very same programs as Administrator? I should have said it clearly, sorry.

Yes. No. I think this is not the right place to ask about suggestions for WD, no? Thanks.

[...]

That wasn't my intention, but, from what I've seen so far, not so many people are using Windows Defender. They've moved on to Microsoft Security Essentials, which, as far as I could find, doesn't have the same ability as Windows Defender.

So, perhaps, you'd find more issues like the one you have on the Microsoft forums, and find the help you need, I guess.

This was my only intent, when suggesting you to go check at Microsoft's forums.

Sorry if, somehow, I made you think you couldn't be helped here. I'm no one to say you can't be helped here.

That's even a better approach than the one I suggested! Sometimes, simpler solutions are in front of our eyes, but we do tend to complicate, don't we?

Thanks for sharing.

Glad I could help!

@ diginsight

I think this behaviour occurs by design, to not bother limited users with too many prompts. I haven't found the thread, but I remember reading that a-squared Anti-Malware 4.x has that service running only to permit starting it under a standard user account without a prompt. If you disable the service, it asks you for ADM privileges.

Another one that asks for ADM privileges to show its GUI is Shadow Defender.

That wasn't my intention, but, from what I've seen so far, not so many people are using Windows Defender. They've moved on to Microsoft Security Essentials, which, as far as I could find, doesn't have the same ability as Windows Defender.

So, perhaps, you'd find more issues like the one you have on the Microsoft forums, and find the help you need, I guess.

This was my only intent, when suggesting you to go check at Microsoft's forums.

Sorry if, somehow, I made you think you couldn't be helped here. I'm no one to say you can't be helped here.

lol. Don't worry, I didn't misunderstand you at all.
I don't use WD now and I feel too lazy to go to the MS forums anyway.

your principle is good. ^_^
I hope your security software will also help improve my scores in Belarc Advisor.

Actually the principle is from Roger Grimes' Professional Windows Desktop and Server Hardening, which I consider to be one of the best books written on this topic.

Didn't know about the Belarc Advisor. After reviewing the information, it could be useful to benchmark the configuration. For building the W7 security configuration I'm also using the CIS Benchmark for Windows 7. Surprisingly, Belarc supports Windows 7 but doesn't mention the CIS W7 Benchmark.

So you're using UAC to protect your security app?

I like the UAC concept for privilege escalation. I took it a bit further and enabled a policy that denies privilege escalation to standard users. This in effect will prevent standard users from being prompted to provide credentials for an admin account. Instead they receive an error message when they try to access UAC-protected functions. The goal is to prevent standard users from having to make security decisions. The administrative user is the only user allowed to raise privileges.

I want to apply this concept to security programs, thus preventing access from standard users and them having to make security decisions.

how about ASLR?

The link mentions several AV products not using ASLR or DEP. Of course MSE supports both. I'm not convinced AV on desktops is that important as an attack vector to require exploit mitigations like ASLR and DEP. For MSE, being a popular AV product, this might be different, and Microsoft certainly did well to implement it.

As to attack vectors, I think the Secunia report on DEP/ASLR has more importance, as vulnerabilities in popular programs are also popular targets for exploits and can benefit from exploit mitigations like DEP/ASLR.

m00nbl00d said:

I meant, have you tried to remove the autorun entries for the standard user accounts, and then create tasks to start those very same programs as Administrator? I should have said it clearly, sorry.

s23 said:

And if you remove the registry key starting the tray icon, identify the main executable (that permits access to the UI), and change in Properties => Compatibility => Run this program as administrator?

I tried it here with Avast and it worked.

Both excellent suggestions and easy to implement. I tried this with one program. After changing the GUI part to run as administrator, it refused to start with the standard user, even without having disabled the autorun. The GUI is an essential part of this program. Without it, I don't know if the program still functions. When I start the GUI part manually I'm prompted to elevate, which reintroduces the original problem of standard users having full access. If I want to keep using this program I guess I have to enable its password protection.

I still think both suggestions are excellent solutions for programs that don't rely on the GUI part to function.

s23 said:

I think this behaviour occurs by design, to not bother limited users with too many prompts.

Have you considered modifying the registry keys, or the program executable, program directory and program dependencies (like config/ini files), to take away modify rights for specific users/groups? Most likely the process can be started at a high integrity level, where a medium integrity level process (users have this) can read/execute but not write.

While I haven't given this much thought nor tried it, I should think one could set the rights so that a non-elevated user (one without a high integrity level) is restricted. Fall back to actual ACEs for each aspect if needed.

Some food for thought anyway. Maybe you have already investigated this avenue.
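As an added example, not code from this thread or from any of the products mentioned in it: a PowerShell audit, assumed to run as an administrator on the hardened Windows 7 machine, that checks the three controls discussed above (the deny-elevation UAC policy, the machine-wide "Run this program as administrator" compatibility flag, and the ACL and integrity-level restrictions suggested in the last post) against one product installation. The product directories, registry key and GUI executable are placeholders, and the principal names assume an English Windows.

```powershell
# Added example, not code from the thread: audit a security product's tamper
# resistance against standard users. Reports the UAC policy discussed above,
# whether the GUI exe carries a machine-wide RUNASADMIN layer, which ACEs hand
# write-class rights to non-admin principals, and whether a high integrity
# label is set. Product paths are placeholders; names assume English Windows.
param(
    [string]$ProductDir    = 'C:\Program Files\ExampleAV',          # placeholder
    [string]$ProductData   = 'C:\ProgramData\ExampleAV',            # placeholder
    [string]$ProductRegKey = 'HKLM:\SOFTWARE\ExampleAV',            # placeholder
    [string]$GuiExe        = 'C:\Program Files\ExampleAV\gui.exe'   # placeholder
)
# 1. UAC policy. ConsentPromptBehaviorUser 0 = automatically deny elevation
#    requests (the policy diginsight enabled); 1 or 3 = prompt for credentials.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA                 : $($pol.EnableLUA)"
"ConsentPromptBehaviorUser : $($pol.ConsentPromptBehaviorUser)"

# 2. The all-users compatibility layer s23 describes lives in HKLM, keyed by exe path.
$layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$layer  = (Get-ItemProperty -Path $layers -ErrorAction SilentlyContinue).$GuiExe
"GUI has RUNASADMIN layer  : $([bool]($layer -match 'RUNASADMIN'))"

# 3. ACL audit. An Allow ACE granting write-class rights to one of these
#    principals lets a medium-integrity (standard user) process change the
#    object. Generic rights show up as bare numbers; list them for manual review.
$nonAdmin = 'BUILTIN\Users','NT AUTHORITY\Authenticated Users','Everyone','NT AUTHORITY\INTERACTIVE'
$writeRx  = 'Write|Modify|FullControl|Delete|SetValue|CreateSubKey|TakeOwnership'
function Get-WeakAce([string]$Path) {
    if (-not (Test-Path $Path)) { return }
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($nonAdmin -notcontains $ace.IdentityReference.Value) { continue }
        $rights = "$($ace.FileSystemRights)$($ace.RegistryRights)"   # one of the two is empty
        if ($rights -match $writeRx -or $rights -match '^-?\d+$') {
            [pscustomobject]@{ Object = $Path; Principal = $ace.IdentityReference.Value; Rights = $rights }
        }
    }
}
$weak = @($ProductDir, $ProductData, $ProductRegKey | ForEach-Object { Get-WeakAce $_ })
if ($weak) { $weak | Format-Table -AutoSize } else { 'No write-class ACEs for non-admin principals.' }

# 4. Integrity label (the no-write-up idea in the last post). After
#    "icacls <dir> /setintegritylevel (CI)(OI)H", icacls prints
#    "Mandatory Label\High Mandatory Level:(NW)" for the object.
foreach ($p in $ProductDir, $ProductData) {
    if (-not (Test-Path $p)) { continue }
    $label = @(icacls $p 2>$null) -match 'Mandatory Label'
    "Integrity label on $p : $(if ($label) { $label[0].Trim() } else { 'none (medium)' })"
}
```

Program Files already denies write access to Users by default, so findings normally come from the ProgramData directory and the vendor's HKLM key, which is where a tray GUI running as the standard user would store the settings it lets that user change.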